CVE-2020-5284

MEDIUM EXPLOITED NUCLEI

Zeit Next.js < 9.3.2 - Path Traversal

Title source: rule

Description

Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.

Nuclei Templates (1)

Next.js <9.3.2 - Local File Inclusion

MEDIUMby rootxharsh,iamnoooob,dwisiswant0

Shodan: http.html:"/_next/static" || cpe:"cpe:2.3:a:zeit:next.js"

FOFA: body="/_next/static"

References (2)

[Release Notes] https://github.com/zeit/next.js/releases/tag/v9.3.2

[Third Party Advisory] https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj

Scores

CVSS v3 4.4

EPSS 0.8321

EPSS Percentile 99.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

VulnCheck KEV 2026-03-23

CWE

CWE-22 CWE-23

Status published

Products (2)

npm/next 0.9.9 - 9.3.2npm

zeit/next.js < 9.3.2

Published Mar 30, 2020

Tracked Since Feb 18, 2026